Kwampirs threat actor continues to breach transnational healthcare orgs

The Kwampirs (aka Orangeworm) attack group continues to target global healthcare entities in this time of crisis, the FBI has warned.

“Targeted entities range from major transnational healthcare companies to local hospital organizations,” the Bureau noted.

“The FBI assesses Kwampirs actors gained access to a large number of global hospitals through vendor software supply chain and hardware products. Infected software supply chain vendors included products used to manage industrial control system (ICS) assets in hospitals.”

Kwampirs

This is the third FBI private industry notification since the beginning of the year about the group’s activities and the modular Kwampirs RAT it uses.

According to the alert:

• The attack group first establishes a broad and persistent presence on the targeted network and then delivers and executes the Kwampir RAT and other malicious payloads
• Kwampirs actors have successfully gained and sustained persistent presence on victim networks for a time period ranging from three to 36 months
• The Kwampir RAT is modular and, depending on the target, different modules are dropped. But it seems that the threat actors main goal is cyber espionage
• Significant intrusion vectors include: lateral movement between company networks during mergers and acquisitions; malware being passed between entities through shared resources and internet facing resources during the software co-development process; and software supply chain vendors installing infected devices on the customer/corporate LAN or customer/corporate cloud infrastructure.

“Kwampirs campaign actors have targeted companies in the imaging industry, to include networked scanner and copier-type devices, with domain access to customer networks. The FBI assesses these imaging vendors are targeted to gain access to customer networks, including remote or cloud management access, which could permit lateral CNE movement within victim networks,” the FBI added.

While the Kwampirs/Orangeworm threat actors is considered to be an APT (Advanced Persistent Threat), it is currently unknown whether they are state-backed.

What is known is that they don’t go after PII, payment card data, and are not interested in destroying or encrypting data for ransom – though, according to the FBI, several code-based similarities exist between the Kwampirs RAT and the Shamoon/Disstrack wiper malware.

The group also doesn’t limit their targeting to healthcare and software supply chain organizations. To a lesser extent, they go after companies in the energy and engineering industry as well as financial institutions and prominent law firms, across the United States, Europe, Asia, and the Middle East.

Defense and post-infection remediation

The notice delivers best practices for network security and defense to be incorporated before infection, recommended post-infection actions and identifies residual Kwampirs RAT host artifacts that can help companies to determine if they were a victim.

Indicators of compromise and YARA rules to identify Kwampirs malware have been provided in separate documents.

SANS ISC handler (and Dean of Research at the SANS Technology Institute Twitter) Johannes Ullrich notes that Kwampirs will likely enter an organization’s network undetected as part of a software update from a trusted vendor.

“Anti-malware solutions will detect past versions. But do not put too much trust in anti-malware to detect the next version that is likely tailored to your organization,” he added, and offered helpful advice for writing abstracted detection signatures that might come in handy.

While not recently updated, the MITRE ATT&CK entry for the Kwampirs malware may also be helpful. For more technical details about the malware, you might want to check out ReversingLabs’s recent analysis.